A tool to check the security settings of GitHub organizations.

  • By Crash Override
  • Last update: Dec 22, 2022
  • Comments: 16


Github Analyzer

Audits a GitHub organization for potential security issues. The tool is currently in a pre-alpha stage and supports only limited functionality; we will be actively adding checks in the upcoming months and welcome feature requests and contributions. Once the analysis is complete, a static HTML page summarizing the results is served on localhost:3000, as shown below:

(screenshot: gh-analyzer summary page)

Available Checks

Name                                            | Category                             | Severity      | Resource Affected
------------------------------------------------|--------------------------------------|---------------|------------------
Application restrictions disabled               | Least Privilege                      | High          | Organization
Insecure Webhook payload URL                    | Information Disclosure               | High          | Webhook
Advanced security disabled for new repositories | Tooling and Automation Configuration | Medium        | Organization
Secret scanning disabled for new repositories   | Tooling and Automation Configuration | Medium        | Organization
Organization 2FA disabled                       | Authentication                       | Medium        | Organization
Users without 2FA configured                    | Authentication                       | Low           | User Account
Permissions overview for users                  | Least Privilege                      | Informational | User Account
OAuth application summary                       | Least Privilege                      | Informational | Organization
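As an added example (not code from the github-analyzer project), the following Go program shows how the "Organization 2FA disabled" check from the table can be implemented against the GitHub REST API with only the standard library. The `two_factor_requirement_enabled` field of `GET /orgs/{org}` is real GitHub behaviour and is only returned when the token belongs to an organization owner, so the check must distinguish "not visible" from "disabled" instead of reporting a false finding or dereferencing a missing value. The finding id AUTH_2FA_1, the remediation text and the `NewFakeGitHub` server (a constructed stand-in for api.github.com so the example runs offline) are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Resource and Issue mirror the finding format shown under "Sample Output".
type Resource struct {
	ID   string `json:"id"`
	Kind string `json:"kind"`
}

type Issue struct {
	ID          string     `json:"id"`
	Name        string     `json:"name"`
	Severity    int        `json:"severity"`
	Category    string     `json:"category"`
	Description string     `json:"description"`
	Resource    []Resource `json:"resource"`
	CWEs        []int      `json:"cwes"`
	Remediation string     `json:"remediation"`
}

// AuditOrg2FA runs the "Organization 2FA disabled" check against the REST API rooted at api.
// It returns (nil, nil) when 2FA is enforced, a finding when it is not, and an error when the
// answer is unknown: a non-200 status (bad token, missing read:org scope) or an org object
// without two_factor_requirement_enabled, which GitHub only exposes to org owners.
func AuditOrg2FA(client *http.Client, api, org, token string) (*Issue, error) {
	req, err := http.NewRequest("GET", api+"/orgs/"+org, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Accept", "application/vnd.github+json")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("GET /orgs/%s: HTTP %d (check the token and its scopes)", org, resp.StatusCode)
	}
	// A pointer distinguishes "field absent" (nil) from "present and false".
	var o struct {
		Login                       string `json:"login"`
		TwoFactorRequirementEnabled *bool  `json:"two_factor_requirement_enabled"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&o); err != nil {
		return nil, err
	}
	if o.TwoFactorRequirementEnabled == nil {
		return nil, fmt.Errorf("2FA requirement for %s not visible: token must belong to an org owner", org)
	}
	if *o.TwoFactorRequirementEnabled {
		return nil, nil
	}
	return &Issue{
		ID:          "AUTH_2FA_1", // id is an assumption; the page only shows AUTH_2FA_2
		Name:        "Organization 2FA disabled",
		Severity:    3, // Medium, matching the other severity-3 finding in the sample output
		Category:    "Authentication",
		Description: "Two-factor authentication is not required for org " + o.Login,
		Resource:    []Resource{{ID: o.Login, Kind: "Organization"}},
		CWEs:        []int{308},
		Remediation: "Require two-factor authentication for all members under the organization's security settings",
	}, nil
}

// NewFakeGitHub is a constructed stand-in for api.github.com so the example runs offline. It
// serves three orgs: one without enforcement, one with it, and one seen by a non-owner token.
func NewFakeGitHub() *httptest.Server {
	orgs := map[string]string{
		"/orgs/testorg":   `{"login":"testorg","two_factor_requirement_enabled":false}`,
		"/orgs/secureorg": `{"login":"secureorg","two_factor_requirement_enabled":true}`,
		"/orgs/notowner":  `{"login":"notowner"}`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, ok := orgs[r.URL.Path]
		if r.Header.Get("Authorization") != "Bearer test-token" {
			http.Error(w, `{"message":"Bad credentials"}`, http.StatusUnauthorized)
		} else if !ok {
			http.NotFound(w, r)
		} else {
			fmt.Fprint(w, body)
		}
	}))
}

func main() {
	srv := NewFakeGitHub()
	defer srv.Close()
	for _, org := range []string{"testorg", "secureorg", "notowner"} {
		issue, err := AuditOrg2FA(srv.Client(), srv.URL, org, "test-token")
		out, _ := json.MarshalIndent(issue, "", " ")
		fmt.Printf("%s: err=%v finding=%s\n", org, err, out)
	}
}
```

Against the real API, pass `https://api.github.com` as `api` and a token with the read:org scope; the error path is what you hit when the token lacks owner rights, which is safer than treating the absent field as "2FA disabled".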

Sample Output

For each issue identified, a JSON object with the associated information is generated. A sample output snippet follows:

...
 {
  "id": "CONFIG_AS_1",
  "name": "Secret scanning disabled for new repositories",
  "severity": 3,
  "category": "Information disclosure to untrusted parties",
  "tags": [
   "GitHub Advanced Security feature"
  ],
  "description": "Secret scanning disabled for org testorg",
  "resource": [
   {
    "id": "testorg",
    "kind": "Organization"
   }
  ],
  "cwes": [
   319
  ],
  "remediation": "Please see https://docs.github.com/en/[email protected]/code-security/secret-scanning/configuring-secret-scanning-for-your-repositories for how to enable secret scanning in your repositories"
 },
 {
  "id": "AUTH_2FA_2",
  "name": "Users without 2FA configured",
  "severity": 2,
  "category": "Authentication",
  "description": "The following collaborators have not enabled 2FA: testuser1, testuser2",
  "resource": [
   {
    "id": "testuser1",
    "kind": "UserAccount"
   },
   {
    "id": "testuser2",
    "kind": "UserAccount"
   }
  ],
  "cwes": [
   308
  ],
  "remediation": "Please see https://docs.github.com/en/authentication/securing-your-account-with-two-factor-authentication-2fa/configuring-two-factor-authentication for steps on how to configure 2FA for individual accounts"
 }
...
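An added example (not part of the project) of a consumer of this output format: it parses the findings, keys each (check, resource) pair by a stable fingerprint so a local ignore list survives rewording of descriptions, and produces the per-severity counts a CI gate needs. The fingerprint scheme, the `Summary` type and the `FailsGate` threshold are assumptions; `SampleReport` is the two findings above wrapped in a JSON array with the remediation text shortened.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// SampleReport is a constructed report in the analyzer's output format: the two findings shown
// above wrapped in a JSON array, with the remediation text shortened.
const SampleReport = `[
 {"id":"CONFIG_AS_1","name":"Secret scanning disabled for new repositories","severity":3,
  "category":"Information disclosure to untrusted parties","tags":["GitHub Advanced Security feature"],
  "description":"Secret scanning disabled for org testorg",
  "resource":[{"id":"testorg","kind":"Organization"}],"cwes":[319],"remediation":"see docs"},
 {"id":"AUTH_2FA_2","name":"Users without 2FA configured","severity":2,"category":"Authentication",
  "description":"The following collaborators have not enabled 2FA: testuser1, testuser2",
  "resource":[{"id":"testuser1","kind":"UserAccount"},{"id":"testuser2","kind":"UserAccount"}],
  "cwes":[308],"remediation":"see docs"}
]`

// finding declares only the fields this consumer needs; encoding/json ignores the rest, so
// fields the tool adds later (tags, remediation, ...) cannot break it.
type finding struct {
	ID       string `json:"id"`
	Severity int    `json:"severity"`
	Resource []struct {
		ID   string `json:"id"`
		Kind string `json:"kind"`
	} `json:"resource"`
}

// Fingerprint names one (check, resource) pair independently of the human-readable description,
// so an ignore list keyed on it survives rewording and re-ordering. The scheme is an assumption,
// not the tool's; the NUL separator keeps ("a","bc","") and ("a","b","c") distinct.
func Fingerprint(checkID, kind, resID string) string {
	sum := sha256.Sum256([]byte(checkID + "\x00" + kind + "\x00" + resID))
	return hex.EncodeToString(sum[:8])
}

// Summary is what a CI job needs: counts per numeric severity, the worst one seen, and the
// open (check, resource) pairs as "checkID kind id" lines.
type Summary struct {
	BySeverity map[int]int
	Worst      int
	Open       []string
}

// Summarize parses a report, drops resources whose fingerprint is in ignore, and aggregates.
// A finding whose every resource is ignored no longer counts toward severity.
func Summarize(report []byte, ignore map[string]bool) (Summary, error) {
	var findings []finding
	if err := json.Unmarshal(report, &findings); err != nil {
		return Summary{}, fmt.Errorf("parse report: %w", err)
	}
	s := Summary{BySeverity: map[int]int{}}
	for _, f := range findings {
		open := 0
		for _, r := range f.Resource {
			if ignore[Fingerprint(f.ID, r.Kind, r.ID)] {
				continue
			}
			s.Open = append(s.Open, fmt.Sprintf("%s %s %s", f.ID, r.Kind, r.ID))
			open++
		}
		if open > 0 {
			s.BySeverity[f.Severity]++
			if f.Severity > s.Worst {
				s.Worst = f.Severity
			}
		}
	}
	sort.Strings(s.Open)
	return s, nil
}

// FailsGate reports whether the run should fail a pipeline: any open finding at or above threshold.
func FailsGate(s Summary, threshold int) bool {
	return len(s.Open) > 0 && s.Worst >= threshold
}

func main() {
	// Accept testuser1's missing 2FA locally (for example a bot account), keep everything else.
	ignore := map[string]bool{Fingerprint("AUTH_2FA_2", "UserAccount", "testuser1"): true}
	s, err := Summarize([]byte(SampleReport), ignore)
	if err != nil {
		panic(err)
	}
	fmt.Printf("worst=%d by severity=%v open=%q fail(>=3)=%v\n", s.Worst, s.BySeverity, s.Open, FailsGate(s, 3))
}
```

The numeric severities are used as they appear in the output (3 for the Medium finding, 2 for the Low one); mapping them to the labels of the checks table is left to the caller.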

How to run

You can see available options via the --help flag.

Running locally

  • Install with:
    go install -v github.com/crashappsec/github-analyzer/cmd/[email protected]
  • Run with:
    $GOPATH/bin/github-analyzer \
      --organization <your org name> \
      --token "$GH_SECURITY_AUDITOR_TOKEN"

Running using Docker

  • After cloning the repo, build the container using:

    docker compose build --no-cache
  • Run

    docker compose run \
        --rm --service-ports \
        github-analyzer \
            --organization <your org name> \
            --output output \
            --token "$GH_SECURITY_AUDITOR_TOKEN"

Permissions

For API-based checks, you need to pass in a GitHub token (either a personal access token (PAT) or a token derived from a GitHub App installation) with the appropriate permissions. Example usage:

github-analyzer \
    --organization <your org name> \
    --token "$GH_SECURITY_AUDITOR_TOKEN"

See our wiki for instructions on setting up a token to be used with the github-analyzer.

For the experimental scraping-based checks, you also need to pass in your username and password, as well as your two-factor authentication one-time password where needed. Example usage:

github-analyzer \
    --organization crashappsec \
    --token "$GH_SECURITY_AUDITOR_TOKEN" \
    --userPermissionStats \
    --enableScraping \
    --username "$GH_SECURITY_AUDITOR_USERNAME" \
    --password "$GH_SECURITY_AUDITOR_PASSWORD" \
    --otpSeed "$GH_SECURITY_AUDITOR_OTP_SEED"

See our wiki for instructions on setting up a token to be used with the analyzer.

Credits

The project was originally ported from Mike de Libero's auditor with the author's permission.


Comments (16)

  • 1

    [Question] Complete list of checks

    Hi, is there a complete list of checks for organizations, repos, members, actions, runners, etc.? I see there's a table in the README, but I think these are high-level checks and there are sub-checks for those?
    Thanks!

  • 2

    error if token does not have permissions

    If the token does not have permissions, the CLI blows up with:

    ➜ ./bin/auditor \
                  --organization crashappsec \
                  --tokenName GIT_ADMIN
    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x7cb5e8]
    
    goroutine 1 [running]:
    github.com/crashappsec/github-security-auditor/pkg/github/org.Organization.AuditCoreStats({0xc0001341c0, 0xc000138780, 0xc00002e630, 0x64, 0xc00042e120, 0x0, 0x0, 0x0, 0x0, 0x0, ...}, ...)
            /root/Code/co/github-security-auditor/pkg/github/org/org.go:467 +0x88
    github.com/crashappsec/github-security-auditor/pkg/github/org.Organization.Audit({0xc0001341c0, 0xc000138780, 0xc00002e630, 0x64, 0xc00042e120, 0x0, 0x0, 0x0, 0x0, 0x0, ...}, ...)
            /root/Code/co/github-security-auditor/pkg/github/org/org.go:601 +0x350
    github.com/crashappsec/github-security-auditor/pkg/github/auditor.GithubAuditor.AuditOrg({0xc00002800a?}, {0x7ffeab19b571, 0xb}, 0x0?)
            /root/Code/co/github-security-auditor/pkg/github/auditor/auditor.go:66 +0x1cc
    main.runCmd()
            /root/Code/co/github-security-auditor/cmd/main/main.go:67 +0x2f3
    main.NewRootCommand.func2(0xc000138280?, {0xa841a0?, 0x4?, 0x4?})
            /root/Code/co/github-security-auditor/cmd/main/main.go:127 +0x17
    github.com/spf13/cobra.(*Command).execute(0xc000138280, {0xc0000240b0, 0x4, 0x4})
            /root/.go/pkg/mod/github.com/spf13/[email protected]/command.go:876 +0x67b
    github.com/spf13/cobra.(*Command).ExecuteC(0xc000138280)
            /root/.go/pkg/mod/github.com/spf13/[email protected]/command.go:990 +0x3bd
    github.com/spf13/cobra.(*Command).Execute(...)
            /root/.go/pkg/mod/github.com/spf13/[email protected]/command.go:918
    main.main()
            /root/Code/co/github-security-auditor/cmd/main/main.go:24 +0x25
    
  • 3

    oauth permissions prototype (related to #19)

    This PR adds scraping support and should address #19 once complete; however, the OTP bits still need to be worked out.

    Probably a YubiKey config/wrapper issue, or is Google OTP needed? Need to investigate.

    ❯ ./bin/auditor --organization crashappsec --enableScraping --username $GH_SECURITY_AUDITOR_USERNAME --password "$GH_SECURITY_AUDITOR_PASSWORD" --otp cccccbbrnjtjvrhbkrknncvtntvuitubjncebrnfgkct
    2022-09-29T22:45:29.214+0300    error   scraping/scraping.go:20 received 422 response submitting otp form
    

    Filed https://github.com/google/go-github/issues/2483 to ask about the OTP issue

  • 4

    Added sample webhook auditor

    This commit addresses #23 but does not actively check the SSL verification and headers using the ping URL. I've set up a test org for that (github-security-auditor-test-org), so @miki725 we could set up some tests using it and add the rest of the functionality. Moreover, it adds resource identifiers so that we can create fingerprints for each issue / affected resource and allow users to mark things as false positives in their local repos.

  • 5

    Added zap logger and basic pkg restructure (fixes #5)

    This PR is the first in a sequence of PRs to add functionality to the github security auditor, and only does basic restructuring of packages, splitting command-line flags from GitHub package logic and adding zap for logging. Moreover, it introduces an issues package for tracking security issues and statistics as return values of audits. The state is overall still WIP, so leaving this as a checkpoint / FYI primarily.

    There are various TODOs which will be addressed in subsequent PRs such as:

    • [ ] Parity on the original functionality of the repo (e.g., webhook stats etc)
    • [ ] Add tests for the individual components
    • [ ] Refactor of context uses
    • [ ] Switch to use a common Audit interface for the different entities (e.g., org/pkg/repo)
  • 6

    CI for tests/releases

    this PR:

    • [x] adds CI for running tests (both running tool and unit tests)
    • [x] adds CI to make releases which should publish multiple pre-built go binaries
    • [x] removes version.txt so that CI automatically populates it both for binary distributions as well as via goreleaser
    • [x] optimizes Dockerfile to create smallest possible image just based on alpine+binary
  • 7

    Handle null responses in case of TPS throttling

    This PR does not pass a global backoff to all clients doing pagination but tries to have them run independently as much as possible, and also handles a missed case where GitHub's response could be nil after TPS errors.

  • 8

    updated Readme and added permission checks (fixes #19)

    Created a wrapper over go-github's scraper module, modifying some of the internals, and also pulled in the recommended changes from @miki725 which had been left out from https://github.com/crashappsec/github-security-auditor/issues/19.

    This should now be successfully pulling OAuth information if one follows the steps outlined in the Readme.

  • 9

    adding pre-commit config

    partially fixes https://github.com/crashappsec/github-security-auditor/issues/8, just the lint bits

    as this will be open-source using more standard pre-commit flows rather than relying on docker for everything

  • 10

    some cleanups

    Addressing some of the nits/asks of previous PRs and refactoring some of the pagination code. Will probably need to use interfaces for pagination, as generics don't allow access to nested types.

  • 11

    Parity with original repo

    Added the rest of the functionality of the original repo. This is still untouched code for the most part, and will be refactoring to add a generic handler for pagination w/ backoff across all clients, as well as passing a context with cancel as needed.

    Will also need to change error handling and add tests; then we will be in a good place to start adding functionality.
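A generic paginated fetch with backoff of the kind the comment above mentions, as an added example that is not the project's code: it follows `Link` rel="next" headers until the last page and retries throttled responses instead of handing a nil page back to the caller. The headers it interprets (`Link`, `Retry-After`, `X-RateLimit-Remaining`) are GitHub's; the retry limit of three, the 5 s default wait, the injectable `sleep` parameter and `NewThrottlingServer` (a constructed stand-in for api.github.com so the example runs offline) are assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// nextLink returns the rel="next" target from a Link header, or "" on the last page.
func nextLink(link string) string {
	for _, part := range strings.Split(link, ",") {
		a, b := strings.Index(part, "<"), strings.Index(part, ">")
		if a >= 0 && b > a && strings.Contains(part[b:], `rel="next"`) {
			return part[a+1 : b]
		}
	}
	return ""
}

// retryAfter honours the Retry-After header GitHub sends when throttling, defaulting to 5s.
func retryAfter(h http.Header) time.Duration {
	if s, err := strconv.Atoi(h.Get("Retry-After")); err == nil && s > 0 {
		return time.Duration(s) * time.Second
	}
	return 5 * time.Second
}

// FetchAll GETs url, follows rel="next" until the last page and appends every element of each
// page's JSON array. Throttling (429, or 403 carrying Retry-After or X-RateLimit-Remaining: 0) is
// retried up to three times after the indicated delay via sleep (injectable so tests need not
// wait); any other non-200 status is returned as an error, never as a nil page.
func FetchAll(client *http.Client, token, url string, sleep func(time.Duration)) ([]json.RawMessage, error) {
	var items []json.RawMessage
	retries := 0
	for url != "" {
		req, err := http.NewRequest("GET", url, nil)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("Accept", "application/vnd.github+json")
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		h := resp.Header
		throttled := resp.StatusCode == http.StatusTooManyRequests ||
			(resp.StatusCode == http.StatusForbidden && (h.Get("Retry-After") != "" || h.Get("X-RateLimit-Remaining") == "0"))
		if throttled && retries < 3 {
			resp.Body.Close()
			retries++
			sleep(retryAfter(h))
			continue // retry the same url
		}
		if resp.StatusCode != http.StatusOK {
			resp.Body.Close()
			return nil, fmt.Errorf("GET %s: HTTP %d", url, resp.StatusCode)
		}
		var page []json.RawMessage
		err = json.NewDecoder(resp.Body).Decode(&page)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		items = append(items, page...)
		url, retries = nextLink(h.Get("Link")), 0
	}
	return items, nil
}

// NewThrottlingServer is a constructed stand-in for api.github.com: the first request gets a 429
// with Retry-After: 1, after which two pages of one member each are served.
func NewThrottlingServer() *httptest.Server {
	var srv *httptest.Server
	calls := 0
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		calls++
		switch {
		case calls == 1:
			w.Header().Set("Retry-After", "1")
			http.Error(w, `{"message":"API rate limit exceeded"}`, http.StatusTooManyRequests)
		case r.URL.Query().Get("page") == "2":
			fmt.Fprint(w, `[{"login":"testuser2"}]`)
		default:
			w.Header().Set("Link", "<"+srv.URL+`/orgs/testorg/members?page=2>; rel="next"`)
			fmt.Fprint(w, `[{"login":"testuser1"}]`)
		}
	}))
	return srv
}

func main() {
	srv := NewThrottlingServer()
	defer srv.Close()
	fmt.Println(FetchAll(srv.Client(), "test-token", srv.URL+"/orgs/testorg/members", time.Sleep))
}
```

Because the retry counter resets after every successful page, a long listing can absorb several throttling episodes, while a persistently failing URL still stops after three attempts and surfaces the HTTP status to the caller.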

  • 12

    Check dependabot settings in forked repos

    As per https://github.blog/changelog/2022-11-07-dependabot-pull-requests-off-by-default-for-forks/, Dependabot PRs will be off by default for forked repositories; enable a warn-level in case this is not explicitly enabled.

  • 13

    allow to output report json to stdout

    Currently it goes to the --output directory; however, in some cases it might be easier to go to stdout or a specific file to enable flows like:

    github-analyzer --json | jq ...
    
  • 14

    Add support for text and HTML reports - without webserver

    Thank you for creating this tool.

    I would like to run the analyzer, and upon completion, have a text and/or html report of the findings. I do not want the webserver running as I'd like to run this as a GitHub Action. Upon writing the report, the analyzer should exit(0).

  • 15

    Check pat policy settings for org

    Check https://docs.github.com/en/organizations/managing-programmatic-access-to-your-organization/setting-a-personal-access-token-policy-for-your-organization settings

  • 16

    Check commits from personal emails

    Often users commit into an enterprise repo but their git is locally configured with their personal email. We could check the last commits of users in the org and verify they are using an enterprise email account. This would allow tighter control of contributors, if such a policy is something that would be of interest to the org.